Malware Analysis Report

2024-10-19 02:36

Sample ID 240127-cantsaagf9
Target 78f92ab7f036ac56b81b11c26bde3f04
SHA256 63634e6216314ba19543cd53527712010c3a1b9538b52081478072f2ef1fbbe8
Tags: cryptbot discovery spyware stealer
Score: 10/10

Analysis Overview

Score: 10/10

SHA256

63634e6216314ba19543cd53527712010c3a1b9538b52081478072f2ef1fbbe8

Threat Level: Known bad

The file 78f92ab7f036ac56b81b11c26bde3f04 was found to be: Known bad.

Malicious Activity Summary

cryptbot discovery spyware stealer

CryptBot

CryptBot payload

Reads user/profile data of web browsers

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Unsigned PE

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Checks processor information in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-01-27 01:52

Signatures

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted: 2024-01-27 01:52
Reported: 2024-01-27 01:55
Platform: win7-20231215-en
Max time kernel: 143s
Max time network: 151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\78f92ab7f036ac56b81b11c26bde3f04.exe"

Signatures

CryptBot

spyware stealer cryptbot

CryptBot payload


Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\78f92ab7f036ac56b81b11c26bde3f04.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\78f92ab7f036ac56b81b11c26bde3f04.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\78f92ab7f036ac56b81b11c26bde3f04.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\78f92ab7f036ac56b81b11c26bde3f04.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\78f92ab7f036ac56b81b11c26bde3f04.exe

"C:\Users\Admin\AppData\Local\Temp\78f92ab7f036ac56b81b11c26bde3f04.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 ewafxq25.top udp

Files

memory/2164-1-0x00000000005B0000-0x00000000006B0000-memory.dmp

memory/2164-2-0x0000000000400000-0x00000000004C1000-memory.dmp

memory/2164-3-0x0000000000310000-0x00000000003B0000-memory.dmp

memory/2164-4-0x0000000001FB0000-0x0000000001FB1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IaBQQ0Vqmck\_Files\_Information.txt


C:\Users\Admin\AppData\Local\Temp\IaBQQ0Vqmck\_Files\_Information.txt


C:\Users\Admin\AppData\Local\Temp\IaBQQ0Vqmck\files_\system_info.txt


C:\Users\Admin\AppData\Local\Temp\IaBQQ0Vqmck\files_\system_info.txt


C:\Users\Admin\AppData\Local\Temp\IaBQQ0Vqmck\files_\system_info.txt


C:\Users\Admin\AppData\Local\Temp\IaBQQ0Vqmck\files_\system_info.txt


C:\Users\Admin\AppData\Local\Temp\IaBQQ0Vqmck\files_\system_info.txt


C:\Users\Admin\AppData\Local\Temp\IaBQQ0Vqmck\_Files\_Screen_Desktop.jpeg


memory/2164-221-0x0000000000400000-0x00000000004C1000-memory.dmp

memory/2164-223-0x00000000005B0000-0x00000000006B0000-memory.dmp

memory/2164-226-0x0000000001FB0000-0x0000000001FB1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IaBQQ0Vqmck\V4MK2neojgqr.zip


Analysis: behavioral2

Detonation Overview

Submitted: 2024-01-27 01:52
Reported: 2024-01-27 01:55
Platform: win10v2004-20231215-en
Max time kernel: 151s
Max time network: 155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\78f92ab7f036ac56b81b11c26bde3f04.exe"

Signatures

CryptBot

spyware stealer cryptbot

CryptBot payload


Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\78f92ab7f036ac56b81b11c26bde3f04.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\78f92ab7f036ac56b81b11c26bde3f04.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\78f92ab7f036ac56b81b11c26bde3f04.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\78f92ab7f036ac56b81b11c26bde3f04.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\78f92ab7f036ac56b81b11c26bde3f04.exe

"C:\Users\Admin\AppData\Local\Temp\78f92ab7f036ac56b81b11c26bde3f04.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 ewafxq25.top udp
US 8.8.8.8:53 ewafxq25.top udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 ewafxq25.top udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 ewafxq25.top udp
US 8.8.8.8:53 ewafxq25.top udp
US 8.8.8.8:53 114.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 ewafxq25.top udp
US 8.8.8.8:53 ewafxq25.top udp
US 8.8.8.8:53 ewafxq25.top udp
US 8.8.8.8:53 ewafxq25.top udp
US 8.8.8.8:53 ewafxq25.top udp
US 8.8.8.8:53 ewafxq25.top udp
US 8.8.8.8:53 79.121.231.20.in-addr.arpa udp
US 8.8.8.8:53 ewafxq25.top udp
US 8.8.8.8:53 ewafxq25.top udp
US 8.8.8.8:53 ewafxq25.top udp
US 8.8.8.8:53 ewafxq25.top udp
US 8.8.8.8:53 ewafxq25.top udp
US 8.8.8.8:53 ewafxq25.top udp
US 8.8.8.8:53 morzup02.top udp
US 8.8.8.8:53 morzup02.top udp
US 8.8.8.8:53 27.178.89.13.in-addr.arpa udp
US 8.8.8.8:53 morzup02.top udp
US 8.8.8.8:53 morzup02.top udp
US 8.8.8.8:53 morzup02.top udp

Files

memory/2348-1-0x0000000000500000-0x0000000000600000-memory.dmp

memory/2348-2-0x00000000020F0000-0x0000000002190000-memory.dmp

memory/2348-3-0x0000000000400000-0x00000000004C1000-memory.dmp

memory/2348-4-0x0000000000400000-0x00000000004C1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\dwzBprMPM\_Files\_Information.txt


C:\Users\Admin\AppData\Local\Temp\dwzBprMPM\_Files\_Information.txt


C:\Users\Admin\AppData\Local\Temp\dwzBprMPM\_Files\_Screen_Desktop.jpeg


C:\Users\Admin\AppData\Local\Temp\dwzBprMPM\files_\system_info.txt


C:\Users\Admin\AppData\Local\Temp\dwzBprMPM\files_\system_info.txt


C:\Users\Admin\AppData\Local\Temp\dwzBprMPM\files_\system_info.txt


memory/2348-208-0x0000000000400000-0x00000000004C1000-memory.dmp

memory/2348-210-0x0000000000500000-0x0000000000600000-memory.dmp

memory/2348-211-0x00000000020F0000-0x0000000002190000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\dwzBprMPM\KiGmKA8NfANjW.zip


C:\Users\Admin\AppData\Local\Temp\dwzBprMPM\n8t4bwg5BM.zip
